If I were the EU I would ban consumer devices from supporting remote attestation.

@retr0id Would that ban U2F tokens with non-extractable keys?

@retr0id

Some of them do it in the most obvious sense (i.e. they have manufacturer-provided private key used to sign statements that mean "this enrollment has been processed by a u2f key produced by the manufacturer").

But fair point, if we define "remote attestation" as a mechanism that prevents the user from substituting parts of the system with self-developed replacements then unless the former is used _or_ the user uses a pre-enrolled u2f key, they can always use a software-emulated u2f key.

@retr0id @robryk Most U2F keys have a certificate signed by the manufacturer used to prove private keys were generated on a specific certified device. They're not mandatory and Firefox will give you the option to not forward them.
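An added example, not from any poster in this thread, of what the relying party actually sees after a registration: a minimal CBOR decoder plus a policy that accepts credentials with no attestation or self attestation and only accepts manufacturer-signed attestation (fido-u2f, packed with an x5c chain, etc.) where explicitly enabled. The sample objects are constructed here, not captured from real authenticators; a site that does not want attestation at all can also pass `attestation: "none"` to `navigator.credentials.create()` so the browser never forwards it.

```python
def _decode(buf: bytes, pos: int = 0):
    """Decode one CBOR item at buf[pos] (ints, byte/text strings, arrays, maps)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info in (24, 25):                       # 1- or 2-byte length/value follows
        width = info - 23
        n, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    else:
        raise ValueError("length encoding not supported by this minimal decoder")
    if major < 2:                                # unsigned / negative integer
        return (n if major == 0 else -1 - n), pos
    if major in (2, 3):                          # byte string / text string
        s = buf[pos:pos + n]
        return (bytes(s) if major == 2 else s.decode("utf-8")), pos + n
    if major == 4:                               # array
        items = []
        for _ in range(n):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                               # map
        d = {}
        for _ in range(n):
            key, pos = _decode(buf, pos)
            d[key], pos = _decode(buf, pos)
        return d, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def attestation_policy(att_obj: bytes, allow_manufacturer: bool = False):
    # Returns (decision, reason) for a WebAuthn attestation object.
    obj, _ = _decode(att_obj)
    fmt, stmt = obj["fmt"], obj["attStmt"]
    if fmt == "none":                            # browser/authenticator stripped attestation
        return ("accept", "no attestation") if not stmt else ("reject", "attStmt present with fmt none")
    if fmt == "packed" and "x5c" not in stmt and "ecdaaKeyId" not in stmt:
        return "accept", "self attestation"      # signed only by the new credential's own key
    # fido-u2f, tpm, android-key, packed+x5c: a manufacturer-provisioned key vouches for the device
    return ("accept" if allow_manufacturer else "reject", "manufacturer attestation (%s)" % fmt)

# Constructed sample objects (helpers encode CBOR text/byte strings shorter than 24 bytes).
_t = lambda s: bytes([0x60 | len(s)]) + s.encode()
_b = lambda b: bytes([0x40 | len(b)]) + b
AUTH = _t("authData") + _b(b"\xde\xad\xbe\xef")                    # placeholder authData
NONE_OBJ = b"\xa3" + _t("fmt") + _t("none") + _t("attStmt") + b"\xa0" + AUTH
PACKED_SELF_OBJ = (b"\xa3" + _t("fmt") + _t("packed") + _t("attStmt")
                   + b"\xa2" + _t("alg") + b"\x26" + _t("sig") + _b(b"\x01\x02") + AUTH)
FIDO_U2F_OBJ = (b"\xa3" + _t("fmt") + _t("fido-u2f") + _t("attStmt")
                + b"\xa2" + _t("sig") + _b(b"\x01\x02") + _t("x5c") + b"\x81" + _b(b"\x30\x03") + AUTH)
```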

@retr0id@retr0.id @robryk@qoto.org there's "enterprise" attestation/signature scheme, but not sure what exactly that entails. But in general they shouldn't do.

@retr0id@retr0.id @robryk@qoto.org Alright, it seems like that's just adding an ability to track the usage of individual authenticators on websites, but it's supposed to be only possible on websites that have been programmed into the authenticator, so wouldn't really matter for the "consumer devices" part IMO.

Qoto Mastodon
